W.I.P Support admin netpolicy

cspell.json

@@ -4,6 +4,7 @@
     "dictionaryDefinitions": [],
     "dictionaries": [],
     "words": [
+        "banp",
         "connlist",
         "netpol",
         "netpols",

docs/connlist_output.md

@@ -3,6 +3,8 @@
 Resource manifests considered for a connectivity analysis:
 - workload resources (such as Kubernetes Pod / Deployment)
 - Kubernetes NetworkPolicy
+- Kubernetes AdminNetworkPolicy
+- Kubernetes BaselineAdminNetworkPolicy 
 - Kubernetes Ingress
 - Openshift Route
 

go.mod

@@ -12,16 +12,17 @@ require (
 	k8s.io/apimachinery v0.29.2
 	k8s.io/cli-runtime v0.29.2
 	k8s.io/client-go v0.29.2
+	sigs.k8s.io/network-policy-api v0.1.5
 	sigs.k8s.io/yaml v1.4.0
 
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
@@ -46,7 +47,7 @@ require (
 	github.com/xlab/treeprint v1.2.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/oauth2 v0.10.0 // indirect
+	golang.org/x/oauth2 v0.12.0 // indirect
 	golang.org/x/sync v0.5.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/term v0.18.0 // indirect

go.sum

@@ -14,12 +14,13 @@ github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxER
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
-github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
+github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
-github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
 github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
@@ -156,8 +157,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
-golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
+golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4=
+golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -191,8 +192,8 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
+golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -252,6 +253,8 @@ sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKU
 sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY=
 sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 h1:W6cLQc5pnqM7vh3b7HvGNfXrJ/xL6BDMS0v1V/HHg5U=
 sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag=
+sigs.k8s.io/network-policy-api v0.1.5 h1:xyS7VAaM9EfyB428oFk7WjWaCK6B129i+ILUF4C8l6E=
+sigs.k8s.io/network-policy-api v0.1.5/go.mod h1:D7Nkr43VLNd7iYryemnj8qf0N/WjBzTZDxYA+g4u1/Y=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=

pkg/cli/evaluate.go

@@ -89,7 +89,8 @@ func updatePolicyEngineObjectsFromDirPath(pe *eval.PolicyEngine, podNames []type
 	objectsList = parser.FilterObjectsList(objectsList, podNames)
 
 	var err error
-	for _, obj := range objectsList {
+	for i := range objectsList {
+		obj := objectsList[i]
 		switch obj.Kind {
 		case parser.Pod:
 			err = pe.InsertObject(obj.Pod)

pkg/internal/netpolerrors/netpol_errors.go

@@ -61,6 +61,21 @@ const (
 	UnmarshalErr            = "cannot unmarshal array into Go value of type unstructured.detector"
 	UnableToDecodeErr       = "unable to decode"
 
+	// errors constants from adminNetworkPolicy and baselineAdminNetworkPolicy
+	SubjectErrTitle                  = "invalid Subject:"
+	oneFieldSetErr                   = "exactly one field must be set"
+	OneFieldSetRulePeerErr           = oneFieldSetErr + " in a rule peer"
+	OneFieldSetSubjectErr            = oneFieldSetErr + " in a subject"
+	UnknownRuleActionErr             = "unrecognized action"
+	ANPPortsError                    = "exactly one field must be set in an AdminNetworkPolicyPort"
+	ANPIngressRulePeersErr           = "from field must be defined and contain at least one item"
+	ANPEgressRulePeersErr            = "to field must be defined and contain at least one item"
+	ANPMissingNameErr                = "missing name for an AdminNetworkPolicy object"
+	ExposureAnalysisDisabledWithANPs = "exposure analysis is disabled when there are admin-network-policies in the input resources"
+
+	BANPAlreadyExists = "only one baseline admin network policy may be provided in input resources; one already exists"
+	BANPNameAssertion = "only one baseline admin network policy with metadata.name=default can be created in the cluster"
+
 	UnknownCommandErr = "unknown command"
 
 	NilRepresentativePodSelectorsErr = "representative pod might not be generated if it does not have any representative selector"
@@ -126,3 +141,25 @@ const colonSep = ": "
 func ConcatErrors(err1, err2 string) string {
 	return err1 + colonSep + err2
 }
+
+// SamePriorityErr returns the error message if a priority appears more than once in different admin-network-policies
+func SamePriorityErr(name1, name2 string) string {
+	return "Admin Network Policies: " + name1 + " and " + name2 + " have same priority;" +
+		"Two policies are considered to be conflicting if they are assigned the same priority."
+}
+
+// PriorityValueErr returns error message of invalid priority value in an admin-network-policy
+func PriorityValueErr(name string, priority int32) string {
+	return fmt.Sprintf("Invalid Priority Value: %d in Admin Network Policy: %q; Priority value must be between 0-1000", priority, name)
+}
+
+const uniquenessRequest = "Only one object of a given kind can have a given name at a time."
+
+// ANPsWithSameNameErr returns error message when there are two admin-network-policies with same name in the manifests
+func ANPsWithSameNameErr(anpName string) string {
+	return fmt.Sprintf("an AdminNetworkPolicy with name %q is already found. %s", anpName, uniquenessRequest)
+}
+
+func NPWithSameNameError(npName string) string {
+	return fmt.Sprintf("NetworkPolicy %q already exists. %s", npName, uniquenessRequest)
+}

pkg/manifests/parser/k8sobj.go

@@ -11,6 +11,7 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	v1 "k8s.io/api/core/v1"
 	netv1 "k8s.io/api/networking/v1"
+	apisv1a "sigs.k8s.io/network-policy-api/apis/v1alpha1"
 
 	ocroutev1 "github.com/openshift/api/route/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -19,23 +20,27 @@ import (
 
 // relevant K8s resource kinds as string values
 const (
-	NetworkPolicy         string = "NetworkPolicy"
-	Namespace             string = "Namespace"
-	Pod                   string = "Pod"
-	ReplicaSet            string = "ReplicaSet"
-	ReplicationController string = "ReplicationController"
-	Deployment            string = "Deployment"
-	StatefulSet           string = "StatefulSet"
-	DaemonSet             string = "DaemonSet"
-	Job                   string = "Job"
-	CronJob               string = "CronJob"
-	List                  string = "List"
-	NamespaceList         string = "NamespaceList"
-	NetworkPolicyList     string = "NetworkPolicyList"
-	PodList               string = "PodList"
-	Service               string = "Service"
-	Route                 string = "Route"
-	Ingress               string = "Ingress"
+	NetworkPolicy                  string = "NetworkPolicy"
+	Namespace                      string = "Namespace"
+	Pod                            string = "Pod"
+	ReplicaSet                     string = "ReplicaSet"
+	ReplicationController          string = "ReplicationController"
+	Deployment                     string = "Deployment"
+	StatefulSet                    string = "StatefulSet"
+	DaemonSet                      string = "DaemonSet"
+	Job                            string = "Job"
+	CronJob                        string = "CronJob"
+	List                           string = "List"
+	NamespaceList                  string = "NamespaceList"
+	NetworkPolicyList              string = "NetworkPolicyList"
+	PodList                        string = "PodList"
+	Service                        string = "Service"
+	Route                          string = "Route"
+	Ingress                        string = "Ingress"
+	AdminNetworkPolicy             string = "AdminNetworkPolicy"
+	AdminNetworkPolicyList         string = "AdminNetworkPolicyList"
+	BaselineAdminNetworkPolicy     string = "BaselineAdminNetworkPolicy"
+	BaselineAdminNetworkPolicyList string = "BaselineAdminNetworkPolicyList" // a list with max 1 object according to apis/v1alpha
 )
 
 // K8sObject holds a an object kind and a pointer of the relevant object
@@ -44,8 +49,10 @@ type K8sObject struct {
 	// namespace object
 	Namespace *v1.Namespace
 
-	// netpol object
-	NetworkPolicy *netv1.NetworkPolicy
+	// netpol objects
+	NetworkPolicy              *netv1.NetworkPolicy
+	AdminNetworkPolicy         *apisv1a.AdminNetworkPolicy
+	BaselineAdminNetworkPolicy *apisv1a.BaselineAdminNetworkPolicy
 
 	// pod object
 	Pod *v1.Pod
@@ -67,6 +74,7 @@ type K8sObject struct {
 	DaemonSet             *appsv1.DaemonSet
 }
 
+//gocyclo:ignore
 func (k *K8sObject) getEmptyInitializedFieldObjByKind(kind string) interface{} {
 	switch kind {
 	case Deployment:
@@ -108,6 +116,12 @@ func (k *K8sObject) getEmptyInitializedFieldObjByKind(kind string) interface{} {
 	case Namespace:
 		k.Namespace = &v1.Namespace{}
 		return k.Namespace
+	case AdminNetworkPolicy:
+		k.AdminNetworkPolicy = &apisv1a.AdminNetworkPolicy{}
+		return k.AdminNetworkPolicy
+	case BaselineAdminNetworkPolicy:
+		k.BaselineAdminNetworkPolicy = &apisv1a.BaselineAdminNetworkPolicy{}
+		return k.BaselineAdminNetworkPolicy
 	}
 	return nil
 }
@@ -191,6 +205,12 @@ var workloadKinds = map[string]bool{
 	ReplicationController: true,
 }
 
+var policyKinds = map[string]bool{
+	NetworkPolicy:              true,
+	AdminNetworkPolicy:         true,
+	BaselineAdminNetworkPolicy: true,
+}
+
 func FilterObjectsList(allObjects []K8sObject, podNames []types.NamespacedName) []K8sObject {
 	podNamesMap := make(map[string]bool, 0)
 	nsMap := make(map[string]bool, 0)
@@ -199,7 +219,8 @@ func FilterObjectsList(allObjects []K8sObject, podNames []types.NamespacedName)
 		nsMap[podNames[i].Namespace] = true
 	}
 	res := make([]K8sObject, 0)
-	for _, obj := range allObjects {
+	for i := range allObjects {
+		obj := allObjects[i]
 		switch obj.Kind {
 		case Namespace:
 			if _, ok := nsMap[obj.Namespace.Name]; ok {

pkg/manifests/parser/parser.go

@@ -36,7 +36,7 @@ func ResourceInfoListToK8sObjectsList(infosList []*resource.Info, l logger.Logge
 		}
 		if k8sObj != nil && k8sObj.Kind != "" {
 			res = append(res, *k8sObj)
-			if k8sObj.Kind == NetworkPolicy {
+			if policyKinds[k8sObj.Kind] {
 				hasNetpols = true
 			}
 			if workloadKinds[k8sObj.Kind] {

pkg/netpol/connlist/connlist.go

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 */
 
 // The connlist package of netpol-analyzer allows producing a k8s connectivity report based on several resources:
-// k8s NetworkPolicy, k8s Ingress, openshift Route
+// k8s NetworkPolicy & AdminNetworkPolicy & BaselineAdminNetworkPolicy, k8s Ingress, openshift Route
 // It lists the set of allowed connections between each pair of different peers (k8s workloads or ip-blocks).
 // Connections between workload to itself are excluded from the output.
 // Connectivity inferred from Ingress/Route resources is between {ingress-controller} to k8s workloads.